Very nice troubleshooting archae86. We now have a better picture on what may be happening. There are some things that are still a bit puzzling. Can you try the windows default ping again without the firewall (or a special rule for ping like for the boinc client). I would like to know if this standard ping still gets dropped somewhere on our end or if Kaspersky is tampering with this standard ping which leads to dropping.
No, we won. Your crunching at E@H is good news, for more reasons than credits - i learnt something quite basic that windows and linux pings are different.
Each time the security products misbehave, spooky action in the network stack follows.
I'd try adding and removing boinc or boinc servers to your exceptions list now to see if you can de-spook K.
I would like to know if this standard ping still gets dropped somewhere on our end or if Kaspersky is tampering with this standard ping which leads to dropping.
it is being dropped upstream, but only of data length = 32 or 33
This just happens to be Windows default length.
agentb@gluon:~/boinc$ ping -s 30 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 30(58) bytes of data.
38 bytes from 130.75.1.213: icmp_seq=1 ttl=243 time=34.4 ms
38 bytes from 130.75.1.213: icmp_seq=2 ttl=243 time=34.4 ms
38 bytes from 130.75.1.213: icmp_seq=3 ttl=243 time=34.2 ms
^C
--- 130.75.1.213 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 34.258/34.399/34.476/0.181 ms
agentb@gluon:~/boinc$ ping -s 32 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 32(60) bytes of data.
^C
--- 130.75.1.213 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6047ms
agentb@gluon:~/boinc$ ping -s 34 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 34(62) bytes of data.
42 bytes from 130.75.1.213: icmp_seq=1 ttl=243 time=34.9 ms
42 bytes from 130.75.1.213: icmp_seq=2 ttl=243 time=34.1 ms
42 bytes from 130.75.1.213: icmp_seq=3 ttl=243 time=34.0 ms
^C
--- 130.75.1.213 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 34.056/34.388/34.947/0.425 ms
This result is repeated upstream at
gate-w1-0.netz.uni-hannover.de (130.75.1.213)
Thanks. The ping issue seems to be unrelated to the Kaspersky issue. Those particular sized ping packets seem to get dropped by the university router for security reasons.
To me it seems that Kaspersky is tampering with the outgoing traffic. The switch of the backend server on our end also included an OS upgrade which also has an updated network stack. It seems that the tampered packets are dropped because they are not RFC-compliant. Unfortunately we can't change this. So you have to exclude the boinc client in the Kaspersky firewall for now.
I think it would be helpful if you also contact Kaspersky and let them know that the "scan" they do on outgoing traffic is tampering with the packets which in this case (scheduler request) leads to a silent packet loss.
Thank you for this workaround with the detailed description. I only had to translate it into german and follow step by step, yes, it works.
I hope that there will be another solution because its not always the best idea to switch off an alarm if its disturbing the work. Perhaps it might be possible to change the server url in some config - file so that there is no redirection needed, which Kaspersky might consider as a man-in-the-middle-attack or similar.
I hope that there will be another solution because its not always the best idea to switch off an alarm if its disturbing the work. Perhaps it might be possible to change the server url in some config - file so that there is no redirection needed, which Kaspersky might consider as a man-in-the-middle-attack or similar.
We deliberately changed the scheduler URL to this canonical form so we can use redirects. This is especially helpful when we need to change the server where the scheduler is running. A change of the URL is only recognized by the client if it can't reach it for several tries. During that time (which may be several days for some) there is no new work or reporting of computed results for the host. We want to avoid that so we have to use redirects to direct clients from the old URL to the new one.
Our servers are sending RFC-conform redirects that are used widely. If Kaspersky would block every redirect you wouldn't be able to surf the Internet. So we don't know what's so special about our redirect or scheduler request that Kaspersky blocks it. The only one to answer that is the company itself.
Our servers are sending RFC-conform redirects that are used widely. If Kaspersky would block every redirect you wouldn't be able to surf the Internet. So we don't know what's so special about our redirect or scheduler request that Kaspersky blocks it. The only one to answer that is the company itself.
And from the early part of the exploration, we determined that only "Boinc client + redirect" was blocked: "browser + redirect" got through OK. That might be worth mentioning in any issue raised with Kaspersky.
I get the same error message (no start tag) as I already mentioned in Backend upgrade scheduled for Wed Nov 18, but I use the Windows firewall, not Kaspersky's. The problem started with the site upgrade. I already have an exception in the firewall for communication between my computers. I extended it to the internet, without success.
Our servers are sending RFC-conform redirects that are used widely. If Kaspersky would block every redirect you wouldn't be able to surf the Internet. So we don't know what's so special about our redirect or scheduler request that Kaspersky blocks it. The only one to answer that is the company itself.
And from the early part of the exploration, we determined that only "Boinc client + redirect" was blocked: "browser + redirect" got through OK. That might be worth mentioning in any issue raised with Kaspersky.
"I think I have another clue Holmes"
The logs show boinc is doing a HTTP POST, not the usual HTTP GET / HTTP HEAD from a browser.
This w3.org specs regarding 301 redirects suggest - the user agent [boinc in this case] must not automatically redirect the request unless it can be confirmed by the user. Kapersky (acting as a proxy) has no way of getting that confirmation (from boinc), so drops the connection.
I get the same error message (no start tag) as I already mentioned in Backend upgrade scheduled for Wed Nov 18, but I use the Windows firewall, not Kaspersky's. The problem started with the site upgrade. I already have an exception in the firewall for communication between my computers. I extended it to the internet, without success.
I'm not the best with Windows Firewall and i'm not running a real Windows system so i can't even test this, (others may be along soon) but if you can try adding the program
C:\Program Files\BOINC\boinc.exe
to the "Allowed programs" this should show (boinc client) and allow it to the
internet. This may or may not work.
Very nice troubleshooting
)
Very nice troubleshooting archae86. We now have a better picture on what may be happening. There are some things that are still a bit puzzling. Can you try the windows default ping again without the firewall (or a special rule for ping like for the boinc client). I would like to know if this standard ping still gets dropped somewhere on our end or if Kaspersky is tampering with this standard ping which leads to dropping.
RE: OK, you guys
)
No, we won. Your crunching at E@H is good news, for more reasons than credits - i learnt something quite basic that windows and linux pings are different.
Each time the security products misbehave, spooky action in the network stack follows.
I'd try adding and removing boinc or boinc servers to your exceptions list now to see if you can de-spook K.
RE: I would like to know
)
it is being dropped upstream, but only of data length = 32 or 33
This just happens to be Windows default length.
agentb@gluon:~/boinc$ ping -s 30 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 30(58) bytes of data.
38 bytes from 130.75.1.213: icmp_seq=1 ttl=243 time=34.4 ms
38 bytes from 130.75.1.213: icmp_seq=2 ttl=243 time=34.4 ms
38 bytes from 130.75.1.213: icmp_seq=3 ttl=243 time=34.2 ms
^C
--- 130.75.1.213 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 34.258/34.399/34.476/0.181 ms
agentb@gluon:~/boinc$ ping -s 32 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 32(60) bytes of data.
^C
--- 130.75.1.213 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6047ms
agentb@gluon:~/boinc$ ping -s 34 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 34(62) bytes of data.
42 bytes from 130.75.1.213: icmp_seq=1 ttl=243 time=34.9 ms
42 bytes from 130.75.1.213: icmp_seq=2 ttl=243 time=34.1 ms
42 bytes from 130.75.1.213: icmp_seq=3 ttl=243 time=34.0 ms
^C
--- 130.75.1.213 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 34.056/34.388/34.947/0.425 ms
This result is repeated upstream at
gate-w1-0.netz.uni-hannover.de (130.75.1.213)
hth
Thanks. The ping issue seems
)
Thanks. The ping issue seems to be unrelated to the Kaspersky issue. Those particular sized ping packets seem to get dropped by the university router for security reasons.
To me it seems that Kaspersky is tampering with the outgoing traffic. The switch of the backend server on our end also included an OS upgrade which also has an updated network stack. It seems that the tampered packets are dropped because they are not RFC-compliant. Unfortunately we can't change this. So you have to exclude the boinc client in the Kaspersky firewall for now.
I think it would be helpful if you also contact Kaspersky and let them know that the "scan" they do on outgoing traffic is tampering with the packets which in this case (scheduler request) leads to a silent packet loss.
Thank you for this workaround
)
Thank you for this workaround with the detailed description. I only had to translate it into german and follow step by step, yes, it works.
I hope that there will be another solution because its not always the best idea to switch off an alarm if its disturbing the work. Perhaps it might be possible to change the server url in some config - file so that there is no redirection needed, which Kaspersky might consider as a man-in-the-middle-attack or similar.
RE: I hope that there will
)
We deliberately changed the scheduler URL to this canonical form so we can use redirects. This is especially helpful when we need to change the server where the scheduler is running. A change of the URL is only recognized by the client if it can't reach it for several tries. During that time (which may be several days for some) there is no new work or reporting of computed results for the host. We want to avoid that so we have to use redirects to direct clients from the old URL to the new one.
Our servers are sending RFC-conform redirects that are used widely. If Kaspersky would block every redirect you wouldn't be able to surf the Internet. So we don't know what's so special about our redirect or scheduler request that Kaspersky blocks it. The only one to answer that is the company itself.
RE: Our servers are sending
)
And from the early part of the exploration, we determined that only "Boinc client + redirect" was blocked: "browser + redirect" got through OK. That might be worth mentioning in any issue raised with Kaspersky.
I get the same error message
)
I get the same error message (no start tag) as I already mentioned in Backend upgrade scheduled for Wed Nov 18, but I use the Windows firewall, not Kaspersky's. The problem started with the site upgrade. I already have an exception in the firewall for communication between my computers. I extended it to the internet, without success.
RE: RE: Our servers are
)
"I think I have another clue Holmes"
The logs show boinc is doing a HTTP POST, not the usual HTTP GET / HTTP HEAD from a browser.
This w3.org specs regarding 301 redirects suggest - the user agent [boinc in this case] must not automatically redirect the request unless it can be confirmed by the user. Kapersky (acting as a proxy) has no way of getting that confirmation (from boinc), so drops the connection.
Edit: include the correct 1.1 w3 url
RE: I get the same error
)
I'm not the best with Windows Firewall and i'm not running a real Windows system so i can't even test this, (others may be along soon) but if you can try adding the program
C:\Program Files\BOINC\boinc.exe
to the "Allowed programs" this should show (boinc client) and allow it to the
internet. This may or may not work.
good luck.